[argyllcms] Re: Security problems in Argyll's icclib
- From: Graeme Gill <graeme@xxxxxxxxxxxxx>
- To: argyllcms@xxxxxxxxxxxxx
- Date: Sat, 04 Apr 2009 10:33:00 +1100
Roland Mas wrote:
Graeme, I'd like your opinion on this patch. It didn't apply cleanly
Well, I find it interesting that whoever originally
noticed problems, didn't bother to contact me first, all they
seemed interested in was their Linux distro. (I'm coming to the
conclusion this is pretty typical behavior, judging from similar
responses to patches to xli. Courtesy in regard to upstream seems
to be completely lacking, never mind concern about any other users
of the library).
The general issue addressed is probably fair enough, and was one
motivating factor in attempting to develop icclib4, the (still
unfinished, unreleased) ICCV4 version of icclib that has been
written with security against crafted files particularly in mind.
One of the things I realized in writing it, was that although in icclib
I had attempted to guard against wrong lengths and malloc failures,
I hadn't understood the implications of integer overflow.
The icclib4 approach is rather more robust than the patches
against the current icclib, never the less, I'll attempt to
audit the changes and update the code. (I note that
Marti Maria has had an issue with someone contributing
"security" fixes to lcms that turned out to be undesirable.)
Thanks for bringing it to my attention.
Graeme Gill.
Other related posts:
